Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
z
Zach Zeid
11/17/2022, 6:59 PMdoes osquery have a way to gather was VSCode extensions are installed on a Mac?
g
Gavin
11/17/2022, 7:20 PMYou can write a custom extension to shell out to code and run the --list-extensions
Or use the
fileSELECT
f.filename,
f.path,
u.username AS file_owner,
g.groupname AS group_owner,
datetime(f.atime,'unixepoch') AS file_last_access_time,
datetime(f.mtime,'unixepoch') AS file_last_modified_time,
datetime(f.ctime,'unixepoch') AS file_last_status_change_time,
datetime(f.btime,'unixepoch') AS file_created_time,
ROUND((f.size * 10e-7),4) AS size_megabytes
FROM file f
LEFT JOIN users u ON f.uid = u.uid
LEFT JOIN groups g ON f.gid = g.gid
WHERE ((f.directory like "/home/%%/.local/share/JetBrains/%/")
OR (f.directory like "C:\users\%\AppData\%\JetBrains\%\Plugins\")
OR (f.directory like "/Users/%/Library/Application Support/JetBrains/%/plugins/"))
AND (
(filename not like "%.xml") AND (filename not like "%.json") AND
(filename not like "%.etag")
);z
Zach Zeid
11/17/2022, 8:09 PMthis helps thank you!
s
seph
11/17/2022, 10:09 PMThey’re stored in user homedirs. So you can dig through them, and parse the json. (Though there’s no native osquery json table)